OpenBSD Journal

[Patch 009] httpd for 3.3

Contributed by jose on from the fix-your-httpd dept.

A patch for 3.3-stable has been released that addresses a security problem in the Apache web server:
A user with write permission to httpd.conf or a .htaccess file can crash httpd(8) or potentially run arbitrary code as the user www (although it is believed that ProPolice will prevent code execution).
You can find the patch here: 3.3/common/009_httpd.patch.

No word yet on 3.2-stable or any patch for the new 3.4-stable branch.

Update: Patch 004 for 3.4 has been released to fix this problem.
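The precondition for this bug is a local user who can write to httpd.conf or to a .htaccess file, so the check worth running before (and after) patching is an audit of who can modify those files. The script below is an added example, not code from this post or from OpenBSD; it lists every httpd.conf and .htaccess under a tree that is either not owned by the expected owner or carries a group/other write bit. The file layout it builds (httpd.conf in var/www/conf, per-site .htaccess files under var/www/htdocs) is a constructed sample that mimics the OpenBSD layout and is an assumption; on a real system you would point it at /var/www with owner root.

```shell
#!/bin/sh
# Added example, not code from the OpenBSD Journal post or from OpenBSD.
# Lists the httpd.conf and .htaccess files under a directory tree that a user
# other than the expected owner could modify: wrong owner, or group/other
# write bit set. Those are exactly the files a local user needs to write to
# reach the httpd(8) bug described above.

# find_writable_httpd_config ROOT [OWNER]
# OWNER is a user name or numeric uid and defaults to 0 (root).
# Output is sorted so it is stable for scripting.
find_writable_httpd_config() {
    root=$1
    owner=${2:-0}
    find "$root" -type f \( -name httpd.conf -o -name .htaccess \) \
        \( ! -user "$owner" -o -perm -g+w -o -perm -o+w \) -print | sort
}

# make_sample_tree
# Builds a constructed, hypothetical tree under a temporary directory that
# mimics the OpenBSD layout (assumption: var/www/conf/httpd.conf and
# per-directory .htaccess files under var/www/htdocs). Prints the tree root.
make_sample_tree() {
    t=$(mktemp -d) || return 1
    mkdir -p "$t/var/www/conf" "$t/var/www/htdocs/site1" "$t/var/www/htdocs/site2"
    : > "$t/var/www/conf/httpd.conf"
    chmod 644 "$t/var/www/conf/httpd.conf"          # owner-only write: fine
    : > "$t/var/www/htdocs/site1/.htaccess"
    chmod 664 "$t/var/www/htdocs/site1/.htaccess"   # group-writable: flagged
    : > "$t/var/www/htdocs/site2/.htaccess"
    chmod 666 "$t/var/www/htdocs/site2/.htaccess"   # world-writable: flagged
    printf '%s\n' "$t"
}

# Stand-alone demo. On a real system you would run:
#   find_writable_httpd_config /var/www root
# Here the sample files are owned by whoever runs the script, so that uid is
# passed as the expected owner and only the mode bits decide.
demo_root=$(make_sample_tree)
find_writable_httpd_config "$demo_root" "$(id -u)"
rm -rf "$demo_root"
```

A writable parent directory is as dangerous as a writable file (the file can simply be replaced), so in practice the same `find` is worth repeating with `-type d` over the conf and htdocs directories.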



Comments
  1. By Scooter () on

    This patch is for the 1.3 branch in PKGs, right?

    Is the Apache2 running well for everyone? threads not a problem? any comments for the "worker" MPM?

    TIA - Scooter

    Comments
    1. By mirabile () mirabile@bsdcow.net on https://MirBSD.BSDadvocacy.org:8890/

      Apache 2.0 won't go into the tree. Not over
      henning@'s dead body.

      And I fully ACK that decision.
      Apache 1.3 is already ugly enough, to begin with.

      Comments
      1. By Anonymous Coward () on

        Apache should just be removed altogether. It can be supported nearly as well with all our custom patches as a port. Then add an Apache2 port and let the user decide.

        It's simple, really.

        Comments
        1. By Pablo Méndez Hernández () ciph3r@telefonica.net on www.citfi.org

          If you don't want to have apache in your system, you can do your own release:

          $ cat /etc/mk.conf
          SKIPDIR+= usr.sbin/httpd

          ... will do that for you.

          (I really appreciate henning@'s work with apache and don't do that on my machines)

  2. By dlg () dlg@dorkzilla.org on http://www.dorkzilla.org/~dlg

    The 3.3 patch applies cleanly to the 3.2 source. Just follow the instructions as you would for 3.3.

  3. By Gerardo Santana Gómez Garrido () santana at openbsd.org.mx on http://www.openbsd.org.mx/~santana/

    I just wonder why the patch was made from /usr/src/usr.sbin instead of /usr/src as always.

    Comments
    1. By Henning Brauer () henning@ on mailto:henning@

      because... because... because... I just did it that way ;-)
      Sorry, I didn't think about that.
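When a patch was generated from an unexpected directory, as in the exchange above, the quickest way to find the right base directory is to read the path in the patch's first `+++` header and test which candidate directory actually contains that file, before running patch(1) at all. The script below is an added example, not code from this thread or from OpenBSD; the source tree and the patch it builds are constructed samples, and the file name `httpd/README.example` is hypothetical.

```shell
#!/bin/sh
# Added example, not code from the OpenBSD Journal thread or from OpenBSD.
# Given a patch file and candidate base directories, print the directory the
# patch must be applied from with -p0, by checking which candidate contains
# the file named in the first '+++' header.

# patch_base_dir PATCHFILE DIR...
# Prints the first DIR under which the patched path exists; returns 1 if the
# patch has no '+++' header or no candidate matches.
patch_base_dir() {
    pf=$1
    shift
    # Second field of the first '+++' line, e.g. "httpd/README.example" from
    # "+++ httpd/README.example<TAB>date" (awk splits on any whitespace).
    target=$(awk '/^\+\+\+ / { print $2; exit }' "$pf")
    [ -n "$target" ] || return 1
    for d in "$@"; do
        if [ -e "$d/$target" ]; then
            printf '%s\n' "$d"
            return 0
        fi
    done
    return 1
}

# make_sample_patch_tree
# Constructed, hypothetical source tree and patch: the patch names
# "httpd/README.example" relative to usr.sbin/, so the right base directory
# is usr/src/usr.sbin and not usr/src. Prints the tree root; the patch is
# written to $root/example.patch.
make_sample_patch_tree() {
    t=$(mktemp -d) || return 1
    mkdir -p "$t/usr/src/usr.sbin/httpd"
    printf 'old line\n' > "$t/usr/src/usr.sbin/httpd/README.example"
    cat > "$t/example.patch" <<'EOF'
Index: httpd/README.example
--- httpd/README.example.orig
+++ httpd/README.example
@@ -1 +1 @@
-old line
+new line
EOF
    printf '%s\n' "$t"
}

# Stand-alone demo: report where the constructed patch should be applied.
demo_root=$(make_sample_patch_tree)
base=$(patch_base_dir "$demo_root/example.patch" \
        "$demo_root/usr/src" "$demo_root/usr/src/usr.sbin") &&
    printf 'apply with: cd %s && patch -p0 < %s\n' "$base" "$demo_root/example.patch"
rm -rf "$demo_root"
```

Only the first `+++` header is inspected; a multi-file patch generated from one directory has the same base for every file, so that is enough to decide, and a dry run of patch(1) from the reported directory is the final confirmation.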

  4. By chris humphries () chris@unixfu.net on http://unixfu.net/

    Aren't KISS and apache/sendmail contradictory?

    Amazed it is still in by default, hey, but it is secure because it is turned off. Just don't open door sendmail and door apache in your new house, other than that it is safe.

    Needs to be re-thunked? But I guess, like I do, if I don't like it, modify my configuration on the server :)

    Just curious about consistency with default software.

Credits

Copyright © - Daniel Hartmeier. All rights reserved. Articles and comments are copyright their respective authors, submission implies license to publish on this web site. Contents of the archive prior to as well as images and HTML templates were copied from the fabulous original deadly.org with Jose's and Jim's kind permission. This journal runs as CGI with httpd(8) on OpenBSD, the source code is BSD licensed. undeadly \Un*dead"ly\, a. Not subject to death; immortal. [Obs.]